SENAMI: A Hybrid Approach to Monitoring Critical Infrastructure

By William Jardine,
4 November 2016

The systems at the heart of much of the world’s critical national infrastructure are worryingly insecure and liable to attack. Could a new hybrid detection method be an answer to deterring such attacks?

High-profile breaches in recent years, such as those suffered by Ukraine’s power grid and Iran’s Natanz nuclear plant, have exposed flaws in so-called Industrial Control Systems (ICS): namely, that they were not designed and deployed with security in mind and, because of this, applying and maintaining security is infeasible, impractical or costly.

ICS are an established way of controlling processes such as manufacturing, water treatment, and energy and power production. However, because 100% uptime and availability of this critical infrastructure is essential, security updates to ICS are often difficult to enact.

The focus therefore has become protection and detection: Intrusion Detection Systems (IDS) are deployed to provide awareness of any ongoing attacks against ICS networks.

Yet here again, infrastructure operators encounter a problem in that current IDS used on ICS are largely “passive”. They generate no new network traffic and perform detection based purely on existing network traffic, using open-source solutions as well as more bespoke, proprietary ones. A well-resourced and powerful attacker can evade these detection methods, if indeed detection systems have been enabled in the first place. In the case of the Natanz plant, a highly sophisticated piece of malware called Stuxnet allowed attackers to take control of 1,000 machines involved with producing nuclear materials and interfered with highly privileged physical operations and their monitoring.

An alternative detection approach is that of an “active” IDS. These interact directly with the controlling device of an ICS network and retrieve internal values from it. However, this more active approach is resource-intensive and involves a higher level of risk that the old ICS devices will be overloaded. As a result, active techniques are rarely implemented, leaving infrastructure suppliers with a quandary – either use a passive approach and not be made aware of a sophisticated attack until it is well underway, or use an active approach that could very well overload the sensitive ICS controllers and potentially cause more damage to the system than an attacker.

Now, however, research undertaken by MWR’s William Jardine during his time as a student at Lancaster University, together with three other cyber security researchers from the institution, has demonstrated the improved detection rates possible with a new hybrid approach, forming a practical and minimally intrusive active monitoring solution.

Selective Non-Invasive Active Monitoring (SENAMI) combines a largely passive IDS with selective elements of active monitoring, and was demonstrated for Siemens S7 ICS environments. S7 devices account for more than 700 internet-connected controllers in mainland Europe alone. S7 devices are also famous for being the system in use at the Natanz facility targeted by the Stuxnet malware.

Specifically, SENAMI performs active monitoring, but on a smaller, more context-based scale. Rather than reading in hundreds of values at once, SENAMI reads in only three, pre-determined to be critical to the operation of the S7 ICS. This approach has been found to increase the difficulty for an attacker trying to evade detection mechanisms, compared with a purely passive IDS, without overwhelming the whole operating system on which the ICS sits.

For operators using Siemens S7 ICS, the risks highlighted in the work of William and the rest of the team should be at the forefront of security policies. At present, it is possible for an attacker with a foothold in a network to evade detection by a passive IDS and execute a value tampering attack, i.e. one that disrupts the monitoring of key processes. These attacks can potentially cause huge amounts of physical damage to critical infrastructure while remaining undetected. It was reported that Iran was forced to decommission around 20% of its centrifuges in the Natanz plant during the attack.

SENAMI significantly increases the difficulty of executing such attacks and makes it a much less appealing attack vector for an ICS attacker.
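The selective active check described above, as an added Python illustration that is not SENAMI's own code: it assumes three constructed tag names, a dict standing in for controller memory and a constructed passive feed, and shows how a rate-limited direct read of just those tags catches a tampered wire value that a purely passive view would accept.

```python
"""Illustrative hybrid monitor in the spirit of SENAMI (added example, not the paper's
code); a constructed dict and feed stand in for S7 controller memory and sniffed traffic."""

# Three tags assumed critical to the process (constructed names, not from the paper).
CRITICAL_TAGS = ("DB1.DBD0_pressure", "DB1.DBD4_rpm", "DB1.DBD8_valve_pct")
TOLERANCE = 0.05  # relative drift tolerated between the wire value and the PLC value


class HybridMonitor:
    def __init__(self, plc_memory, min_interval):
        self.plc_memory = plc_memory      # stand-in for the controller's real memory
        self.min_interval = min_interval  # seconds between active reads of one tag
        self.last_active = {t: float("-inf") for t in CRITICAL_TAGS}
        self.last_seen = {}               # latest value per tag as observed on the wire
        self.active_reads = 0             # load placed on the PLC, the cost the page warns about

    def observe_passive(self, tag, value):
        """Passive part: record a value carried by a sniffed read-response."""
        self.last_seen[tag] = value

    def read_plc(self, tag):
        """Direct read; tampering with monitoring traffic cannot alter this value."""
        self.active_reads += 1
        return self.plc_memory[tag]

    def active_check(self, now):
        """Selective active part: poll only the critical tags, rate-limited, and
        compare each against the value the passive feed last reported."""
        alerts = []
        for tag in CRITICAL_TAGS:
            if tag not in self.last_seen or now - self.last_active[tag] < self.min_interval:
                continue
            self.last_active[tag] = now
            true_val, wire_val = self.read_plc(tag), self.last_seen[tag]
            if abs(true_val - wire_val) > TOLERANCE * max(abs(true_val), 1e-9):
                alerts.append((tag, wire_val, true_val))  # value tampering suspected
        return alerts


def demo():
    """Constructed scenario: the wire reports a benign pressure, the PLC holds a higher one."""
    mon = HybridMonitor({"DB1.DBD0_pressure": 9.8, "DB1.DBD4_rpm": 1500.0,
                         "DB1.DBD8_valve_pct": 40.0}, min_interval=10.0)
    for tag, wire_value in (("DB1.DBD0_pressure", 5.1), ("DB1.DBD4_rpm", 1500.0),
                            ("DB1.DBD8_valve_pct", 40.0)):
        mon.observe_passive(tag, wire_value)
    first = mon.active_check(now=0.0)   # pressure mismatch raised, three reads issued
    second = mon.active_check(now=3.0)  # inside min_interval: no reads, no alerts
    return first, second, mon.active_reads
```

The min_interval and the three-tag limit are what keep the active side cheap; in a real deployment both would be tuned to what the specific controller tolerates.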

The creators of SENAMI also believe this work highlights the importance of the need for bespoke security for ICS. SENAMI represents a specific solution for legacy Siemens S7 environments, but similar specific research must be done for each unique ICS environment.

MWR has noted that a driving factor behind work being done to improve IDS and their remit over ICS appears to be regulation, or fear of regulation, rather than the risk of cyber attack damage. As can be seen from publicly reported cyber attacks against ICS, this risk is slowly but steadily increasing. Unless infrastructure operators take seriously the threat posed by running old ICS without the necessary protection in place, future events similar to the Ukraine and Iran attacks are a distinct possibility, especially as cyber attacks climb higher on the agendas of political powers and practitioners of corporate espionage.

The SENAMI paper was presented by Jardine at the 2nd ACM workshop on Cyber-Physical Systems Security and Privacy (CPS-SPC), co-located with the 23rd annual CCS conference in Vienna on 28th October, and can be read in full here.
